
xacml message



Subject: Re: [xacml] Groups - xacml-3.0-administration-v1.0-wd30-diff.doc uploaded


+1 

b


> On Oct 31, 2014, at 4:36 AM, Erik Rissanen <erik@axiomatics.com> wrote:
> 
> Hi,
> 
> Regarding "discarded" or "NotApplicable", we discussed this in the past and we concluded that discarding is more correct since if the policy is not authorized, then it should be treated as if it did not exist.
> 
> For the current combining algorithms there is no difference, but it is conceivable that there could be combining algorithms where an N/A may be significant. For instance, imagine a voting based combining algorithm which requires that at least X percent of the policies in the policy set agree. In that case, adding unauthorized N/As to the combining algorithm could change the end result, and would be a potential attack vector.
> 
> Best regards,
> Erik
> 
> 
>> On 2014-10-30 07:23, Steven Legg wrote:
>> 
>> Hi Erik & Hal,
>> 
>>> On 30/10/2014 12:59 AM, Erik Rissanen wrote:
>>> Hi Hal,
>>> 
>>> Thanks. I understand the intent and it's correct as I can see. Section 4.10 could perhaps be formulated in a more clear manner by structuring it based on the three indeterminate cases:
>> 
>> I agree, especially in regard to describing the extended indeterminate value for policy P,
>> which the new draft doesn't do.
>> 
>>> Indet{DP}: first follow PP or PI edges. Then search again and follow DP or DI edges.
>> 
>> If both searches are successful, then policy P is treated as "Indeterminate{DP}";
>> otherwise, if only the first search is successful, then policy P is treated as
>> "Indeterminate{P}"; otherwise, if only the second search is successful, then policy P
>> is treated as "Indeterminate{D}"; otherwise, policy P is treated as "NotApplicable".
>> 
>> Note that the current text talks about discarding policy P when graph searches fail,
>> but combining algorithm definitions have cases for policies that are "NotApplicable"
>> rather than cases for policies that are discarded, so I think it is more appropriate
>> in this profile to use 'treated as "NotApplicable"' instead of 'discarded'.
>> 
>>> Indet{P}: search once and follow PP or PI edges
>> 
>> And if the search is successful, then policy P is treated as "Indeterminate{P}";
>> otherwise, policy P is treated as "NotApplicable".
>> 
>>> Indet{D}: search once and follow DP or DI edges.
>> 
>> And if the search is successful, then policy P is treated as "Indeterminate{D}";
>> otherwise, policy P is treated as "NotApplicable".
>> 
>> In section 4.8, this statement:
>> 
>>   "If it possible to reach a trusted policy in this manner,
>>    the policy P is treated as “Indeterminate” in combination of the policy set."
>> 
>> should read:
>> 
>>   "If it is possible to reach a trusted policy in this manner,
>>    the policy P is treated as “Indeterminate{P}” in combination of the policy set."
>> 
>> Note also the missing "is".
>> 
>> In section 4.9, this statement:
>> 
>>    "If it possible to reach a trusted policy in this manner,
>>     the policy P is treated as “Indeterminate” in combination of the policy set."
>> 
>> should read:
>> 
>>    "If it is possible to reach a trusted policy in this manner,
>>     the policy P is treated as “Indeterminate{D}” in combination of the policy set."
>> 
>> Regards,
>> Steven
>> 
>>> Best regards,
>>> Erik
>>> 
>>>> On 2014-10-28 20:10, Hal Lockhart wrote:
>>>> 
>>>> The new text is based on Steven’s comments from June 2011:
>>>> 
>>>> https://lists.oasis-open.org/archives/xacml-comment/201106/msg00004.html 
>>>> 
>>>> See Issue 98 in the wiki.
>>>> 
>>>> Please check to see if I got it right.
>>>> 
>>>> Hal
>>>> 
>>>> *From:*Erik Rissanen [mailto:erik@axiomatics.com]
>>>> *Sent:* Tuesday, October 28, 2014 10:38 AM
>>>> *To:* xacml@lists.oasis-open.org
>>>> *Subject:* Re: [xacml] Groups - xacml-3.0-administration-v1.0-wd30-diff.doc uploaded
>>>> 
>>>> Hi Hal,
>>>> 
>>>> I did a quick review and most of the changes are fine I think. The one to be careful about I guess is the extended indeterminate in the reduction algorithm. Was there previous discussion about that on the list, which could be reviewed to understand the thinking behind the solution?
>>>> 
>>>> Best regards,
>>>> Erik
>>>> 
>>>> On 2014-10-17 17:41, Hal Lockhart wrote:
>>>> 
>>>>    /Submitter's message/
>>>>    Diff file
>>>>    -- Hal Lockhart
>>>> 
>>>>    *Document Name*: xacml-3.0-administration-v1.0-wd30-diff.doc <https://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=54337>
>>>> 
>>>> ------------------------------------------------------------------------
>>>> 
>>>>    *Description*
>>>>    Differences between WD 29 and WD 30
>>>>    Download Latest Revision <https://www.oasis-open.org/apps/org/workgroup/xacml/download.php/54337/latest/xacml-3.0-administration-v1.0-wd30-diff.doc>
>>>>    Public Download Link <https://www.oasis-open.org/committees/document.php?document_id=54337&wg_abbrev=xacml>
>>>> 
>>>> ------------------------------------------------------------------------
>>>> 
>>>>    *Submitter*: Hal Lockhart
>>>>    *Group*: OASIS eXtensible Access Control Markup Language (XACML) TC
>>>>    *Folder*: Specifications and Working Drafts
>>>>    *Date submitted*: 2014-10-17 08:41:02
> 
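
The two positions in this thread, side by side, as an added example that is not part of the original messages or of the XACML specification: `reduction_result` encodes the outcome mapping Steven gives for the Indet{DP} case, and `voting_combine` is a hypothetical threshold-voting combining algorithm of the kind Erik describes. The function names, the 50% threshold and the sample results are assumptions made for illustration.

```python
# Added illustration; the voting algorithm is hypothetical, not one defined by XACML.
from collections import Counter

def reduction_result(first_search_ok, second_search_ok, unauthorized="discard"):
    """Outcome for policy P in the Indet{DP} case, following Steven's wording.

    first_search_ok:  a trusted policy was reached over PP or PI edges.
    second_search_ok: a trusted policy was reached over DP or DI edges.
    unauthorized:     "discard" returns None (P is dropped from the set);
                      "not_applicable" returns "NotApplicable" instead.
    """
    if first_search_ok and second_search_ok:
        return "Indeterminate{DP}"
    if first_search_ok:
        return "Indeterminate{P}"
    if second_search_ok:
        return "Indeterminate{D}"
    return None if unauthorized == "discard" else "NotApplicable"

def voting_combine(results, threshold=0.5):
    """Hypothetical combiner: a decision wins only if at least `threshold`
    of the policies taking part in combination agree on it."""
    present = [r for r in results if r is not None]  # discarded policies vanish
    if not present:
        return "NotApplicable"
    votes = Counter(present)
    for decision in ("Deny", "Permit"):
        if votes[decision] / len(present) >= threshold:
            return decision
    return "NotApplicable"

def evaluate(trusted_results, n_unauthorized, unauthorized):
    """Combine trusted results with n policies whose reduction failed."""
    failed = [reduction_result(False, False, unauthorized)] * n_unauthorized
    return voting_combine(trusted_results + failed)

# Constructed sample: three authorized policies, two Permit and one Deny.
TRUSTED = ["Permit", "Permit", "Deny"]

if __name__ == "__main__":
    for mode in ("discard", "not_applicable"):
        print(mode, [evaluate(TRUSTED, n, mode) for n in (0, 1, 2, 5)])
```

With discarding, the combined decision depends only on the authorized policies; with the "NotApplicable" treatment, the count of unauthorized policies enters the denominator and the same authorized set can fall below the threshold.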

